GDPR Compliance
Last updated: June 16, 2026
We take the EU General Data Protection Regulation (GDPR) and similar privacy laws (UK GDPR, Swiss FADP, California CCPA/CPRA) seriously. This page is an honest summary of where we are today and what is still in progress. We will update it as we ship improvements.
Status (plain English): We are not yet fully GDPR compliant. The core user-rights tooling is in place (export, delete, consent banner, privacy policy). Several formal items — a signed DPA process, a published sub-processor list, an EU data residency option, and a documented breach-response runbook — are in progress. If you are an EU-based business that requires a signed DPA before using Peersly, please contact us.
What’s in place today
- Right of access & portability — every member can download a ZIP of all data we hold about them from Support → GDPR.
- Right to erasure — every member can permanently delete their account and personal data from Support → GDPR.
- Right to rectification — members can edit their own profile, preferences, and contact info at any time.
- Right to restrict processing — members can pause matching at any time from their Profile. Broader restriction requests (for example, pausing processing while a rectification dispute is resolved) are handled by email, as described under "How to exercise your rights" below.
- Privacy Policy covering what we collect, why, and how long we keep it.
- Cookie banner with accept/reject choice on first visit, and re-openable from the Cookie Policy.
- Row-Level Security on every user data table — Postgres RLS policies are enabled on every table that holds member data, so an API request made with one member's session can only read or modify that member's own rows, regardless of what the request asks for.
- Encryption in transit (TLS) on every domain, and encryption at rest for the database and file storage.
- Calendar tokens encrypted with a dedicated key — the Google / Microsoft calendar-sync tokens of members who connect a calendar are encrypted at the application layer with a key separate from the database's storage-level encryption before they are stored, so a copy of the database alone does not expose them.
- One-click unsubscribe on every marketing / notification email.
- SOC 2 Type II & ISO 27001 certified infrastructure — our hosting and database provider (Lovable Cloud, built on Supabase) carries both certifications. These are the provider's certifications and cover its infrastructure; they are not a certification of Peersly's own application or processes.
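For readers who want to see what the Row-Level Security item above means in practice, here is an added illustration of the mechanism on Postgres as exposed by Supabase. It is example code written for this page, not Peersly's actual schema or policies; the table and column names are assumptions, while `auth.uid()` and the `authenticated` role are Supabase's own. It also includes the check a practitioner would run to find tables where the guarantee silently does not hold.

```sql
-- Added example (not Peersly's schema): Postgres Row-Level Security on Supabase.
-- Table and column names below are assumptions made for illustration.
create table public.profiles (
  id              bigint generated always as identity primary key,
  user_id         uuid not null references auth.users (id) on delete cascade,
  display_name    text not null,
  matching_paused boolean not null default false,
  created_at      timestamptz not null default now()
);

-- Without this statement the policies below are never consulted: a table with
-- RLS disabled is fully readable by any role that holds SELECT on it.
alter table public.profiles enable row level security;

-- FORCE makes the policies apply to the table owner as well.
alter table public.profiles force row level security;

-- A signed-in member may read only rows whose user_id equals the subject of
-- the JWT that accompanied the API request; auth.uid() returns that claim.
create policy "members read own profile"
  on public.profiles for select
  to authenticated
  using (auth.uid() = user_id);

-- WITH CHECK is evaluated on the new row, so a member cannot insert or
-- rewrite a row so that it belongs to someone else.
create policy "members insert own profile"
  on public.profiles for insert
  to authenticated
  with check (auth.uid() = user_id);

create policy "members update own profile"
  on public.profiles for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "members delete own profile"
  on public.profiles for delete
  to authenticated
  using (auth.uid() = user_id);

-- Check: the common failure is a table that was created later and never had
-- RLS enabled, or had it enabled with no policies. This lists every ordinary
-- table in the public schema with RLS off or with zero policies attached.
select c.relname         as table_name,
       c.relrowsecurity  as rls_enabled,
       count(p.polname)  as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public' and c.relkind = 'r'
group by c.relname, c.relrowsecurity
having not c.relrowsecurity or count(p.polname) = 0;
```

Two caveats that apply to any Supabase deployment, Peersly's included: the `anon` role gets no access to a table with RLS enabled unless a policy grants it, which is the desired default for member data; and the `service_role` key bypasses RLS entirely, so any server-side code using it must enforce its own authorization rather than relying on these policies.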
What’s in progress
- Data Processing Agreement (DPA) — template available on request; self-serve signing flow is being built.
- Published sub-processor list — we use Lovable Cloud / Supabase (hosting + database), Stripe (payments), Resend (email), Cloudflare (CDN + WAF), Vimeo (video hosting), Meta Platforms (Facebook / Instagram advertising pixel, only after cookie consent), and optionally Google & Microsoft (calendar sync, only if you connect them). A formal versioned list with change notifications is being prepared.
- EU data residency — Lovable Cloud supports choosing the EU region for new projects. We are evaluating a migration of EU customer data to an EU-region project.
- Signup consent checkboxes — explicit, separate, unticked checkboxes for Privacy Policy + Terms acceptance and an independent marketing-email opt-in, with timestamped policy version.
- Automated data retention — scheduled purging of old chat attachments, ended-match data, and inactive accounts.
- Breach notification runbook — a documented incident-response process covering the GDPR deadlines: notifying the supervisory authority within 72 hours of becoming aware of a personal-data breach (Article 33), and notifying affected members without undue delay when the breach is likely to result in a high risk to them (Article 34).
- Data Protection Impact Assessment (DPIA) for AI-assisted matching.
- Named Data Protection contact — published email (privacy@peersly.com) in place; designating a formal EU representative under GDPR Article 27 (required for controllers not established in the EU) is in progress.
Lawful bases we rely on
- Contract — to provide the matching, scheduling, chat, and training features you signed up for.
- Legitimate interests — security, fraud prevention, basic product analytics, and improving the service.
- Consent — non-essential cookies, marketing emails, and connecting third-party accounts (calendar, payment).
- Legal obligation — tax records, fraud reports, and lawful requests from authorities.
How to exercise your rights
Members can export or delete their data instantly from Support → GDPR inside the member area. For any other request — access, rectification, restriction, objection, DPA signing, or to lodge a complaint — email privacy@peersly.com. We aim to respond within 30 days.
You also have the right to lodge a complaint with your local supervisory authority (in the EU, your national Data Protection Authority).
Questions
Email privacy@peersly.com.
